IT audits generally cause panic in the IT department, as IT managers scramble for that folder of paperwork from the previous year to locate an Excel file where they log all the compliance requirements. Audits are a regular occurrence, but often cause unnecessary disruption, mainly because compliance is treated like something that should be performed annually, instead of a process that is built into workflows and schedules.
IT audits generally cause panic in the IT department, as IT managers scramble for that folder of paperwork from the previous year to locate an Excel file where they log all the compliance requirements. Audits are a regular occurrence, but often cause unnecessary disruption, mainly because compliance is treated like something that should be performed annually, instead of a process that is built into workflows and schedules.
Microsoft 365 Compliance Manager is often overlooked or just seen as Secure Score for Compliance, but it is more than just a dashboard that gives you points for implementing Data Loss Prevention (DLP). Microsoft’s compliance management solution allows you to monitor, improve, and maintain your adherence to regulations and accreditation requirements, rather than just reviewing it once a year. It differs from Secure Score because it is not just for analysing compliance based on implemented technologies but has manual controls that you can monitor and update.
Compliance related to technology is mainly handled by IT, but IT teams are generally not experts on compliance regulations, especially as there are so many of them, and they are constantly changing. With Compliance Manager, the compliance officer, and other stakeholders responsible for compliance, can be invited to be involved.
Assessments are based on templates. By default, Microsoft E3 users have access to the built-in Data Protection Baseline, which contains standard tasks for data protection that are common to most regulations and certifications. Customers with E5 licenses gain access to EU GDPR, NIST 800-53 and ISO 27001 templates. There are more than 300 other templates available, covering national and regional regulations as well industry certifications, some at additional cost. If that does not meet your criteria, you can create your own.
Some of the controls will be assessed automatically, for example, Enable multi-factor authentication for non-admins which is categorised as a high-risk control. Because this control is so important, complete implementation will earn 27 points towards the compliance score. This score is assessed automatically as it can be detected within Microsoft 365 and such a high-scoring control is a great way for a quick win.
On the other hand, some controls must be updated manually, for example, Block outdated ActiveX controls. Group policy settings for this control are available in the description but the status must be updated manually as this cannot be detected. It is possible to upload documents outlining your policies for this control so that this can be viewed by auditors during assessments.
Controls that need to be implemented can be assigned to appropriate members of the team to implement. Controls can be listed according to technology, so it is possible to assign an Exchange Online admin all the compliance controls related to that product. This person would update the status and add notes as necessary. Once that is done, someone else, maybe a member of the compliance team, can be assigned to test the control.
Some businesses will need to be compliant with multiple regulations or accreditations and these can be grouped together. When a control that is common in that group is marked complete, it will be updated for all other assessments in that group. No need to repeat the same action multiple times!
These are just some of the ways that Compliance Manager can help you get compliance under control by using a tool that continually assesses compliance, spreading the load through the year and reducing the stress, time and energy required at the annual assessment time.
If you’d like to engage with our specialists to learn more about Compliance Manager and how it could help make your role easier to manage during audits, get in touch with us today to schedule a call.